About DANEtools

DANE

DNS-based Authentication of Named Entities (DANE) is a method to further secure internet communications that rely on Transport Layer Security (TLS). When you visit websites that start with https:// and show a closed lock icon in the address bar, your browser ensures that the communication between your browser and the website is encrypted, and that the website presents valid credentials (a certificate which cannot easily be tampered with) so that you know you are on the real website and not an almost identical fake one. Your browser does this by keeping a huge list of authorities that are generally trusted to vouch that a certain certificate belongs to a certain party (e.g. your bank). As there are many authorities, it takes only one to be compromised or hacked (this has happened in the past) for the whole system to become less trustworthy.

What DANE does is put an extra record (of type TLSA) in the Domain Name System (DNS, which translates human-friendly names to computer-friendly numeric addresses) to specify which particular Certification Authority (CA) is being used by a website, or even the exact certificate that the website should present. When browsers implement DANE checking, they will only approve the encrypted information flow if the website certificate matches the DANE record. Someone with bad intentions can then no longer use just any rogue CA to fake the website. To be secure, DANE can only be used when the DNS itself is secured using the Domain Name System Security Extensions (DNSSEC). Luckily this is the case for more and more domain names nowadays.
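The matching step described above, as an added example (not DANEtools code): it compares a TLSA record in presentation form, using the usage, selector and matching-type fields of RFC 6698, against a certificate chain. The function names and the toy certificates are constructed for illustration; DNSSEC validation and ordinary CA path validation are out of scope, and CA usages are simplified to "some certificate after the first in the presented chain".

```python
import hashlib

def _tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at offset off."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, off, off + n

def spki_der(cert):
    """Return the SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, off, _ = _tlv(cert, 0)        # Certificate
    _, off, _ = _tlv(cert, off)      # tbsCertificate
    tag, _, nxt = _tlv(cert, off)
    if tag == 0xA0:                  # optional [0] version
        off = nxt
    for _ in range(5):               # serial, signature, issuer, validity, subject
        _, _, off = _tlv(cert, off)
    return cert[off:_tlv(cert, off)[2]]

def tlsa_matches(rdata, chain):
    """rdata: 'usage selector mtype hex'; chain: DER certs, server cert first."""
    usage, selector, mtype, data = rdata.split(None, 3)
    want = bytes.fromhex("".join(data.split()))
    # Usages 1 and 3 pin the server certificate; 0 and 2 pin a CA in the chain.
    candidates = {"0": chain[1:], "2": chain[1:],
                  "1": chain[:1], "3": chain[:1]}.get(usage, [])
    digest = {"0": lambda b: b,
              "1": lambda b: hashlib.sha256(b).digest(),
              "2": lambda b: hashlib.sha512(b).digest()}.get(mtype)
    if digest is None or selector not in ("0", "1"):
        return False                 # unknown field values never match
    pick = spki_der if selector == "1" else (lambda c: c)
    return any(digest(pick(c)) == want for c in candidates)

def _der(tag, body):                 # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

def toy_cert(key):
    """Constructed DER skeleton shaped like X.509; not a valid certificate."""
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02") + _der(0x02, b"\x01")
               + _der(0x30, b"") * 4 + _der(0x30, key))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

CA, SERVER, ROGUE = (toy_cert(k) for k in (b"ca-key", b"server-key", b"rogue-key"))
PIN_EE = "3 1 1 " + hashlib.sha256(spki_der(SERVER)).hexdigest()  # pins server key
PIN_CA = "2 0 1 " + hashlib.sha256(CA).hexdigest()                # pins the CA cert
```

With `PIN_CA` published, a chain issued by any other authority fails the check even if a browser's built-in list would trust that authority.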

DANE works not only for websites protected with HTTPS but also for many other secure internet applications, such as secure email, secure instant messaging and secure internet phone and video calls. DANE is specified in RFC 6698 by the DANE working group of the Internet Engineering Task Force (IETF).

DANEtools

The DANEtools website was created to facilitate the adoption of DANE on the internet. Our mission is to:

  • become the trusted authority on validation of DANE setups
  • help and advise people on how to deploy DANE on their website / application
  • explain what DANE is and why you should want to deploy it
  • promote DANE itself

We do this by providing online tools that can be used to analyse and verify domain and host setups. See also our Acronym Buster page for an explanation of all related terms. Please note that we provide the tools on a best-effort basis: we cannot guarantee that your site is truly safe even if all the checks come back green. If you do encounter any issues or discrepancies, please let us know so that we can improve our tools further.